Marriott International working with insurers after being hit by second data breach

The Marriott International hotel chain is working with insurers to assess its insurance coverage after the hospitality organisation was hit by another data breach, this time affecting an estimated 5.2 million hotel guests.

This is the second major security incident to target Marriott International in the last 16 months.

The hotel chain has been notifying guests about the incident, which involved its property system, as well as outlining how Marriott International will be addressing the situation.

The cyber attack involved a breach of information including contact details such as names, addresses, emails and phone numbers, loyalty card details, date of birth, gender and room preferences. The data leaked was not the same for all customers.

The Marriott International carries insurance; this included cyber insurance, commensurate with its size and the nature of its operations.The company does not currently believe that the total costs related to this incident will be significant.

In November 2018, Marriott International fell victim to a data breach that affected 500 million customers across the UK, US and Canada. It was subsequently fined £99.2m by the Information Commissioner’s Office (ICO) for exposing 339 million customers’ personal data. 

Eva Berg-Winters, founder and chief executive at cyber insurance MGA Bewica, told Insurance Times: ”It seems the hacker used the actual credentials of two employees. This is a very common form of attack and very similar to the Boots’ one, but with the difference that in this case, Marriott’s systems were actually compromised.

”Chances are this breach could have been prevented with multi-factor authentication (MFA). This is a good reminder for any organisation of the importance of turning on MFA.”

Ongoing investigation 

At the end of February this year, Marriott International identified that guest information may have been accessed using the login credentials of two employees at the franchise property.

Hotels operated under Marriott’s brands use an application to help provide services to guests at hotels.

The company believes that this activity started mid-way through January 2020; it was disabled upon discovery and the organisation immediately began an investigation, as well as implemented heightened monitoring and arranged resources to inform and assist guests.

It also notified relevant authorities and is supporting their external investigations.

The investigation is still ongoing, however Marriott International said in a statement that it “currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or pins, payment card information, national IDs or drivers’ license numbers”.

Meanwhile, Kate Bevan, computing editor at Which? said: “It’s very concerning that Marriott has reported yet another data breach affecting millions of its customers – it must keep them updated with clear information and help those negatively impacted.

“This breach seems to have involved criminals stealing full contact details from customers as well as personal data so we’d urge anyone who’s interacted with Marriott’s websites to be extra vigilant as this data can be used to mount convincing email scams.”